Ethical Hacking News
Pakistani-Linked Hackers Expand Targets in India with Sophisticated Malware Campaigns
Threat actors affiliated with Pakistan have been observed targeting various sectors in India with an array of sophisticated malware campaigns, including remote access trojans (RATs) and a previously undocumented malware family called CurlBack RAT. The activity was detected in December 2024 and has since been observed targeting various industries, including the railway, oil and gas, and external affairs ministries.
Seqrite attributes the activity to SideCopy, suspected to be a sub-cluster of Transparent Tribe (aka APT36). The group has expanded its targeting beyond government, defense, maritime sectors, and universities to other prominent Indian entities, and has grown more sophisticated, using DLL side-loading, reflective loading, and AES decryption via PowerShell. Its toolset combines customized open-source remote access trojans (Xeno RAT and Spark RAT, the latter deployed on both Windows and Linux) with the newly identified CurlBack RAT. Email-based phishing with lure documents delivers the malware, while compromised domains and fake sites are used for credential phishing and payload hosting to maintain persistence and evade detection.
In a concerning development, threat actors affiliated with Pakistan have been observed targeting various sectors in India with an array of sophisticated malware campaigns. According to recent findings by Seqrite, a cybersecurity firm based in India, the hacking group has expanded its targeting footprint beyond government, defense, maritime sectors, and universities to include other prominent Indian entities.
The malware in question includes remote access trojans (RATs) such as Xeno RAT, Spark RAT, and a previously undocumented malware family called CurlBack RAT. The activity was detected in December 2024 and has since been observed targeting various industries, including the railway, oil and gas, and external affairs ministries.
One notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This change is significant, as it indicates that the hacking group has become more sophisticated in its approach, leveraging advanced techniques such as DLL side-loading, reflective loading, and AES decryption via PowerShell.
Furthermore, the group has been observed using customized open-source tools such as Xeno RAT and Spark RAT, along with deploying newly identified CurlBack RAT. Compromised domains and fake sites are being utilized for credential phishing and payload hosting, highlighting the group's ongoing efforts to enhance persistence and evade detection.
The threat actors have also employed email-based phishing as a distribution vector for malware, sending various kinds of lure documents ranging from holiday lists for railway staff to cybersecurity guidelines issued by public sector undertakings such as the Hindustan Petroleum Corporation Limited (HPCL).
One cluster of activity is particularly noteworthy given its ability to target both Windows and Linux systems, ultimately leading to the deployment of a cross-platform remote access trojan known as Spark RAT and a new Windows-based malware codenamed CurlBack RAT that can gather system information, download files from the host, execute arbitrary commands, elevate privileges, and list user accounts.
Another cluster has been observed using decoy files as a way to initiate a multi-step infection process that drops a custom version of Xeno RAT, which incorporates basic string manipulation methods. This approach highlights the group's continued maturation and its efforts to evade detection through the use of advanced techniques such as reflective loading and AES decryption.
The threat actors are believed to be part of a larger hacking group known as SideCopy, which is suspected to be a sub-cluster within Transparent Tribe (aka APT36) that has been active since at least 2019. The group's activities have been closely monitored by Seqrite, which has observed various patterns and tactics in its malware campaigns.
In June 2024, Seqrite highlighted SideCopy's use of obfuscated HTA files, leveraging techniques previously observed in SideWinder attacks. The files were also found to contain references to URLs that hosted RTF files identified as used by SideWinder.
The latest findings show a group that continues to mature, now relying on email-based phishing as its main distribution vector for malware. They underscore the need for Indian organizations to remain vigilant and proactive in defending against sophisticated cyber threats.
In conclusion, the recent malware campaigns observed by Seqrite highlight the growing sophistication of the threats facing India. Indian organizations and individuals should take proactive measures against these attacks, including implementing robust cybersecurity controls, staying informed about emerging threats, and adopting a zero-trust approach to security.
Related Information:
https://www.ethicalhackingnews.com/articles/Pakistan-Linked-Hackers-Expand-Targets-in-India-with-Sophisticated-Malware-Campaigns-ehn.shtml
https://thehackernews.com/2025/04/pakistan-linked-hackers-expand-targets.html
https://howtofix.guide/xeno-malware/
https://www.pcrisk.com/removal-guides/28871-xeno-rat
https://cybersecuritynews.com/hackers-using-sparkrat-in-wild/
https://www.broadcom.com/support/security-center/protection-bulletin/sparkrat-a-cross-platform-modular-malware
https://attack.mitre.org/groups/G0134/
https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/
Published: Mon Apr 14 03:21:37 2025 by llama3.2 3B Q4_K_M